IDS and Penetration Testing Lab III Snort Lab



Similar documents
Network Security, ISA 656, Angelos Stavrou. Snort Lab

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

Intrusion Detection and Prevention

IDS and Penetration Testing Lab ISA656 (Attacker)

Network Security EDA /2012. Laboratory assignment 4. Revision A/576, :13:02Z

Installation and Deployment

Computer Networking LAB 2 HTTP

Network Defense Tools

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Browser Client 2.0 Admin Guide

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

How to use SURA in three simple steps:

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

Remote Desktop Web Access. Using Remote Desktop Web Access

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

EINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL

Using a Remote SQL Server Best Practices

Setting Up Your FTP Server

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Lab - Using Wireshark to View Network Traffic

Livezilla How to Install on Shared Hosting By: Jon Manning

EZ Snort Rules Find the Truffles, Leave the Dirt. David J. Bianco Vorant Network Security, Inc. 2006, Vorant Network Security, Inc.

Using Internet or Windows Explorer to Upload Your Site

Microsoft XP Professional Remote Desktop Connection

Configuring Snort as a Firewall on Windows 7 Environment

ilaw Installation Procedure

owncloud Configuration and Usage Guide

VCL Access. VCL provides access to Linux and Windows 7 Virtual Machines. Users will only see those images that they are authorized to access.

Configuring Snort as a Firewall on Windows 7 Environment

Virtual Office Remote Installation Guide

Implementing Microsoft SQL Server 2008 Exercise Guide. Database by Design

Dial-up Installation for CWOPA Users (Windows Operating System)

Lab 1: Network Devices and Technologies - Capturing Network Traffic

IDS and Penetration Testing Lab IIIa

PaperStream Connect. Setup Guide. Version Copyright Fujitsu

Using. Microsoft Virtual PC. Page 1

Technote 20 Using MSIE to FTP into an AcquiSuite

Section 1: Overture (Yahoo) PPC Conversion Tracking Activation

5. At the Windows Component panel, select the Internet Information Services (IIS) checkbox, and then hit Next.

Mapping ITS s File Server Folder to Mosaic Windows to Publish a Website

STABLE & SECURE BANK lab writeup. Page 1 of 21

TANDBERG MANAGEMENT SUITE 10.0

How To Backup Your Computer With A Remote Drive Client On A Pc Or Macbook Or Macintosh (For Macintosh) On A Macbook (For Pc Or Ipa) On An Uniden (For Ipa Or Mac Macbook) On

User Guide Microsoft Exchange Remote Test Instructions

Snort. A practical NIDS

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

Installation Guide - Client. Rev 1.5.0

Server & Workstation Installation of Client Profiles for Windows

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Test Case 3 Active Directory Integration

BlackBerry Internet Service Using the Browser on Your BlackBerry Smartphone Version: 2.8

How to install and run an OpenVPN client on your Windows-based PC

Server Configuration and Deployment (part 1) Lotus Foundations Essentials

Installation Guidelines (MySQL database & Archivists Toolkit client)

How to configure the DBxtra Report Web Service on IIS (Internet Information Server)

Secure Messaging Server Console... 2

Lab VI Capturing and monitoring the network traffic

Firewalls and Software Updates

VPN: Virtual Private Network Setup Instructions

Universal Management Service 2015

Working With Your FTP Site

USING CAMPUS ANYWARE OVER THE VPN (WINDOWS XP)

VPS Remote Computing. Connecting to a Windows Server for the first time. 1 Your Server has been installed. 2 Finding the login details for your Server

NSi Mobile Installation Guide. Version 6.2

WordCom, Inc. Secure File Transfer Web Application

Immotec Systems, Inc. SQL Server 2005 Installation Document

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

Viking VPN Guide Linux/UNIX

How To Configure CU*BASE Encryption

State of Michigan Data Exchange Gateway. Web-Interface Users Guide

Site Monitor. Version 5.3

M2M Series Routers. Port Forwarding / DMZ Setup

Network Connect & Junos Pulse Performance Logs on Windows

Jim2 ebusiness Framework Installation Notes

MobileStatus Server Installation and Configuration Guide

PRiSM Security. Configuration and considerations

STEP BY STEP IIS, DotNET and SQL-Server Installation for an ARAS Innovator9x Test System

for Networks Installation Guide for the application on the server July 2014 (GUIDE 2) Lucid Rapid Version 6.05-N and later

Local Caching Servers (LCS): User Manual

How To Gather Log Files On A Pulse Secure Server On A Pc Or Ipad (For A Free Download) On A Network Or Ipa (For Free) On An Ipa Or Ipv (For An Ubuntu) On Your Pc

Introduction to Intrusion Detection and Snort p. 1 What is Intrusion Detection? p. 5 Some Definitions p. 6 Where IDS Should be Placed in Network

Lab Conducting a Network Capture with Wireshark

Extending Remote Desktop for Large Installations. Distributed Package Installs

Compiere 3.2 Installation Instructions Windows System - Oracle Database

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

Web VTS Installation Guide. Copyright SiiTech Inc. All rights reserved.

SiteCount v2.0 Revised: 10/30/2009

Network Connect Performance Logs on MAC OS

Installation Instruction STATISTICA Enterprise Small Business

OUTLOOK ANYWHERE CONNECTION GUIDE FOR USERS OF OUTLOOK 2010

MiraCosta College now offers two ways to access your student virtual desktop.

USER GUIDE PowerAttachment CRM

Integrated Virtual Debugger for Visual Studio Developer s Guide VMware Workstation 8.0

Setup Guide Revision A. WDS Connector

Grand Blanc Community Schools

Talk Internet User Guides Controlgate Administrative User Guide

FireBLAST Marketing Solution v2

Transcription:

IDS and Penetration Testing Lab III Snort Lab Purpose: In this lab, we will explore a common free Intrusion Detection System called Snort. Snort was written initially for Linux/Unix, but most functionality is now available in Windows. In this lab, we will use the windows version, but there is an extra credit section to setup and use Snort on Linux (See Extra Credit Section). Software Requirements: Use of VCL is sufficient but for your personal use we include Microsoft Windows Installation notes. WinIDS AIO Software Pack which mainly includes the following: 1. Snort 2. Active Perl 3. Oinkmaster The package will be provided you (WinIDS AIO); you may also download it from: http://www.winsnort.com 2. WinPcap. If you already installed Wireshark on the Windows XP machine, then you probably already have it. To verify go to Start > Control Panel > Add Remove Programs to check. If not, then download it from here: http://www.winpcap.org/install/default.htm

3. Wireshark. Download from: http://www.wireshark.org/ Lab Exercise: 1. In your WinIDS_Support_Pack folder, install Snort by double- clicking on the Snort Installer file. Keep defaults values. 2. Snort has three main modes of operations. The sniffer mode, the packet logger mode, and the Network Intrusion Detection mode. Do some reading on these modes (http://www.snort.org/docs/snort_manual/node2.html) 3. Snort Modes: a. Sniffer Mode: 1. In a command prompt, cd to c:\snort 2..\bin\snort help >>> View different options for snort. 3. Use the appropriate flag to list available interfaces. (What flag did you use? ) 4. Run snort in the sniffer mode by typing.\bin\snort v i2 Important: Note that you need to replace the i2 with whichever your network interface is (see point 3 above). Also note that this lab assumes that you are not using a wireless interface. If you want to use a wireless NIC card, then you need to install a Pcap for wireless traffic like AirPcap. You should see something like this:

5. Ctrl c will stop the capture. Notice that no data- link headers are being displayed. Find the flag that will also display data- link headers as well as the raw packets in HEX/ASCII. What command/flags did you use? b. Packet Logger Mode: 1. In this mode, Snort will log some activities to a log directory. If you look at the c:\snort\log directory, it should be empty. Type a snort command that will start snort in the Logger mode. (don't forget to specify the output directory.\log after the appropriate flag; also don't forget to specify the right interface). What command did you type?

2. To get some logs, open up a browser and go to www.gmu.edu. 3. Ctrl + c to stop Snort. Now look at the \log directory, you should see some Snort. log files. These files are Capture files and you can import them into Wireshark to view details. Open up Wireshark and import the log file that was just created. Can you see the page request to www.gmu.edu? Provide a snap shot. c. IDS Mode: 1. In the Snort Network Intrusion Detection Mode, Snort uses some configuration files and a set of Rule's files. The configuration files will help configure different options in Snort. The Rule's files are files that include signatures against which Snort is comparing all captured traffic. We will be writing some of these signatures. If some traffic pattern matches some signature, a Snort "alert" will be fired. Snort also has Preprocessors also. Preprocessors will check flow of traffic as well. For example if an attacker sends a packet that has "user:" and then later sends another one that has "root". If there is a Snort signature to trigger on text content: "user: root". It will not catch this attempt of remotely trying to access resources with root privileges. The 'Preprocessor' will try to process the stream of data, and reassemble it before it goes into the detection engine, so it detects such tricks of evading the IDS. As a matter of fact, there is an excellent paper that discusses IDS evasion. Read this article that summarizes it: http://www.securityfocus.com/infocus/1852 2. Look at the main Snort configuration file under c:\snort\etc\snort.conf. There is a line that specifies the Rule's path: var RULE_PATH../rules. Change this line to read: var RULE_PATH c:\snort\rules

This tells the Snort engine where to find the Rules files. If you look at the rules folder now, it should be empty. You can populate it by using a Perl script called Oinkmaster. This script automatically goes to the Snort website to get more rules. We will take the time here to get Oinkmaster up and running to load the rules files. To do this, follow the following steps: A) Install Active Perl. Note that Active Perl is part of the package that you have already downloaded. Also install Oinkmaster which is also part of that package. (Hint: a very useful document is the README.win32 under the following directory ( _Support_Pak- 081007\oinkmaster- 2.0\oinkmaster). B) You need to make a change on the "oinkmaster.conf" file. To specify the URL from which you will download the rules. But to be able to do this, you need to be registered (with a snort username and password). Go ahead and create an account for yourself in the snort website www.snort.com. Once you create the account and login to it, you can scroll to the bottom of the page and click on get Oink Code. This will give you the Oink Code that you will use in your "oinkmaster.conf" file. Once you have this code, replace the <oinkcode> on the line shown below with the new code you just got: # Example for Snort-current ("current" means cvs snapshots). # url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrulessnapshot-current.tar.gz C) Now you can execute the Oinkmaster script to go out and get the rules by executing the following line (Note, the path might be different for you): (Format is: [Perl] [Source Perl script] [output]) c:\perl\bin\perl c:\winids_support_pak- 081007\oinkmaster- 2.0\oinkmaster.pl - o c:\snort\rules. Please note that if some folder names have spaces, you need to include the path in double quotes, like: "My documents". This should start installing the Snort rules and the rules file should be populated.

3. There are some minor changes that need to take place in the "Snort.conf" file. To make it simple, just delete the entire file and create the one provided. 4. Now run snort in the Network IDS mode by typing the following:.\bin\snort c.\etc\snort.conf 5. Keep snort running as an IDS and let s trigger an alert. An easy trick to trigger an alert is to open up your browser and type: www.gmu.edu/readme.eml The following signature from the web- client.rules file should trigger: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"web-client readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/ca- 2001-26.html; classtype:attempted-user; sid:1284; rev:10;) EXTRA CREDIT Go ahead and stop Snort (Ctrl + c). No go to the Log directory and you should see "alert.ids" file. Open the file and you should see more details on the alert. Create the Snort Signatures for the rbot IRC botnet.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information